CVE-2026-28562 HIGH

CVE-2026-28562: wpForo Forum 2.4.14 SQL Injection via Topics ORDER BY Parameter

Vendor Gvectors Team

Product wpForo Forum

Weakness CWE-89 · SQLi

Published February 28, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.

Explanation of Vulnerability in Simple Terms

02Summary

wpForo Forum versions 2.4 through 2.4.14 contain a SQL injection vulnerability in database query handling. An attacker can craft malicious input to execute arbitrary SQL commands and read sensitive data from the forum database, including user credentials and private messages. Update to version 2.4.15 or later to patch this vulnerability.

What an attacker can do

03Attacker Capabilities

Execute SQL commands to read or modify forum database contents, including user data and private messages.

Potential impact on your site

04Site Impact

Forum user accounts, passwords, and private messages can be compromised without warning or user action.

Conditions required to exploit

05Prerequisites

Network access to the forum; no authentication or user interaction required.

Key dates

06Disclosure timeline

February 28, 2026 CVE published

May 11, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28562 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities